Rewterz Threat Alert – Plugx Delivered by Covid-Themed Documents
March 19, 2020Rewterz Threat Alert – COVID themed targeting from North Korean Kimsuky
March 20, 2020Severity
High
Analysis Summary
| As news spread that COVID’19 patients recently got shot in North Korea, The Kimsuky APT group from North Korea used the controversy to trap curious victims. The APT is spreading a .doc document titled “COVID-19 and North Korea” to lure its targets into opening the malicious document. Apart from the document, other indicators of compromise have also been retrieved that indicate an infection chain from the Kimsuky APT group. The Kimsuky group is a North Korean APT group, also known by other names including Velvet Chollima and Black Banshee, and sometimes perceived to be state-sponsored, generating revenues with its malicious activities. |
Impact
- Information theft
- Credential Theft
- Exposure of sensitive information
Indicators of Compromise
Filename
COVID-19 and North Korea[.]docx
Hostname
crphone[.]mireene[.]com
mybobo[.]mygamesonline[.]org
MD5
a4388c4d0588cd3d8a607594347663e0
SHA-256
7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015
SHA1
b066369bbd48b7858f2c1eed1e78d85c8ae4cdb6
URL
- http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/normal[.]php?name=web
- http[:]//crphone[.]mireene[.]com/plugin/editor/Templates/
- http[:]//crphone[.]mireene[.]com/plugin/editor/
- http[:]//mybobo[.]mygamesonline[.]org/flower01/post[.]php
- http[:]//mybobo[.]mygamesonline[.]org/flower01/flower01[.]down
Remediation
- Block the threat indicators at their respective controls.
- Do not download Corona-related files from any random source.